如何在集群外部访问/公开kubernetes-dashboard服务? [英] How to access/expose kubernetes-dashboard service outside of a cluster?

问题描述

我有以下服务:

ubuntu@master:~$ kubectl get services --all-namespaces
NAMESPACE     NAME                   CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
default       kubernetes             100.64.0.1      <none>        443/TCP         48m
kube-system   kube-dns               100.64.0.10     <none>        53/UDP,53/TCP   47m
kube-system   kubernetes-dashboard   100.70.83.136   <nodes>       80/TCP          47m

我正在尝试访问kubernetes仪表板.考虑到curl不是浏览器，以下响应似乎是合理的.

I am attempting to access kubernetes dashboard. The following response seems reasonable, taking into account curl is not a browser.

ubuntu@master:~$ curl 100.70.83.136
 <!doctype html> <html ng-app="kubernetesDashboard"> <head> <meta charset="utf-8"> <title>Kubernetes Dashboard</title> <link rel="icon" type="image/png" href="assets/images/kubernetes-logo.png"> <meta name="viewport" content="width=device-width"> <link rel="stylesheet" href="static/vendor.36bb79bb.css"> <link rel="stylesheet" href="static/app.d2318302.css"> </head> <body> <!--[if lt IE 10]>
      <p class="browsehappy">You are using an <strong>outdated</strong> browser.
      Please <a href="http://browsehappy.com/">upgrade your browser</a> to improve your
      experience.</p>
    <![endif]--> <kd-chrome layout="column" layout-fill> </kd-chrome> <script src="static/vendor.633c6c7a.js"></script> <script src="api/appConfig.json"></script> <script src="static/app.9ed974b1.js"></script> </body> </html> 

根据文档，正确的访问点是 https://localhost/ui .因此，我正在尝试它，并且收到了一些令人担忧的结果. 这是预期的响应吗?

According to the documentation the right access point is https://localhost/ui. So, I am trying it and receive a bit worrying result. Is it expected response?

ubuntu@master:~$ curl https://localhost/ui
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

在没有证书验证的情况下尝试相同的操作.对于卷曲，可能没问题.但是我在浏览器中也得到了相同的结果，该浏览器是通过vagrant forwarded_port选项通过端口转发进行连接的.

Trying the same without certificate validation. For curl it might be OK. but I have got the same in a browser, which is connecting though port forwarding via vagrant forwarded_port option.

ubuntu@master:~$ curl -k https://localhost/ui
Unauthorized

我在做什么错?以及如何确保我可以访问UI?当前它以未经授权的方式响应.

What I am doing wrong? and how to make sure I can access the UI? Currently it responds with Unauthorized.

仪表板的文档告诉您密码已在配置中:

The docs for the dashboard tell the password is in the configuration:

ubuntu@master:~$ kubectl config view
apiVersion: v1
clusters: []
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []

但是似乎我什么都没有... 这是预期的行为吗?如何使用用户界面进行授权?

but it seems I have got nothing... Is it expected behavior? How can I authorize with the UI?

推荐答案

官方Wiki有点令人困惑，因此我在这里对其进行了重新排序:

The offical wiki is a little bit confusing so I reordered it here:

如果您使用推荐 yaml以部署仪表板，您应该仅通过https访问仪表板，并且应该生成证书，请参考 http://localhost:8001/ui "上的信息中心.该页面需要使用令牌登录.要生成它，请参考此页面.您也可以将NodePort添加到您的Yaml中，并使用<nodeip>:<port>进行访问.

If you use the recommended yaml to deploy the dashboard, you should only access your dashboard by https, and you should generate your certs, refer to guide. Then you can run kubectl proxy --address='0.0.0.0' --accept-hosts='^*$' to visit the dashboard on "http://localhost:8001/ui". This page needs to use a token to login. To generate it, refer to this page. Also you can add NodePort to your yaml and access it using <nodeip>:<port>.

如果您使用 http替代方法进行部署方法，您可以仅通过nodeip:port 访问仪表板.请记住首先将其添加到yaml中！！ 部署后，您还应该生成令牌并为每个请求添加标头Authorization: Bearer <token> .

If you deploy using the http alternative method, you can only access your dashboard by nodeip:port. Remember to add it to yaml first!! After deployment, you should also generate your token and add header Authorization: Bearer <token> for every request.

我认为这可以为您和其他想要使用kube-dashboard的人提供帮助.

I think this can help you and others who want to use kube-dashboard.

这篇关于如何在集群外部访问/公开kubernetes-dashboard服务?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！